The first method is the PTW method (Pychkine, Tews, Weinmann). The PTW method is fully described in the paper found on [[http://​www.cdc.informatik.tu-darmstadt.de/​aircrack-ptw/​|this web site]]. ​ In 2005, Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir and these may be additionally used to break WEP. The PTW method extends Klein'​s attack and optimizes it for usage against WEP. It essentially uses enhanced FMS techniques described in the following section. ​ One particularly important constraint is that it only works with arp request/​reply packets and cannot be employed against other traffic.

+

The first method is the PTW method (Pychkine, Tews, Weinmann). The PTW method is fully described in the paper found on [[https://​web.archive.org/​web/​20070714194826/​http://​www.cdc.informatik.tu-darmstadt.de/​aircrack-ptw/​|this web site]]. ​ In 2005, Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir and these may be additionally used to break WEP. The PTW method extends Klein'​s attack and optimizes it for usage against WEP. It essentially uses enhanced FMS techniques described in the following section. ​ One particularly important constraint is that it only works with arp request/​reply packets and cannot be employed against other traffic.

The second method is the FMS/Korek method which incorporates multiple techniques. ​ The [[links#​technique_papers|Techniques Papers]] on the links page lists many papers which describe these techniques in more detail and the mathematics behind them.

The second method is the FMS/Korek method which incorporates multiple techniques. ​ The [[links#​technique_papers|Techniques Papers]] on the links page lists many papers which describe these techniques in more detail and the mathematics behind them.
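Review bot: the archived copy of the aircrack-ptw page fixes the dead link, but the sentence in the same paragraph that PTW "essentially uses enhanced FMS techniques described in the following section" now reads as if PTW were a variant of the second method, while the paragraph itself says PTW extends Klein's attack and the following section introduces FMS/KoreK as a separate method. Reword to something like "It builds on Klein's correlations rather than on the FMS/KoreK techniques described in the next section" so the two methods are not conflated.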

Line 156:

Line 156:

===== Usage Examples =====

===== Usage Examples =====

==== WEP ====

==== WEP ====

-

The simplest case is to crack a WEP key. If you want to try this out yourself, here is a test [[http://​download.aircrack-ng.org/​wiki-files/​other/​test.ivs|file]]. ​ The key to the test file matches the screen image above, it does not match the following example.

+

The simplest case is to crack a WEP key. If you want to try this out yourself, here is a test [[https://​download.aircrack-ng.org/​wiki-files/​other/​test.ivs|file]]. ​ The key to the test file matches the screen image above, it does not match the following example.

-

aircrack-ng 128bit.ivs\\ ​

+

aircrack-ng ​-K 128bit.ivs\\ ​

Where:

Where:

*128bit.ivs is the file name containing IVS.

*128bit.ivs is the file name containing IVS.

+

*-K: Use KoreK attacks only

The program responds:

The program responds:
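Review bot: the new "Where:" entry says what -K does but not why this example now needs it. The sample output in this revision is from 1.4, where the default attack is PTW, and the section above states that PTW only works with ARP request/reply packets; add a sentence saying that -K forces the older KoreK attacks on this IV-only file and can be left out for captures PTW can handle. The entry should also follow the form of the one above it, e.g. `*-K: use only the KoreK attacks instead of the default PTW attack`.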

Line 177:

Line 178:

The cracking process starts and once cracked, here is what it looks like:

The cracking process starts and once cracked, here is what it looks like:

-

Aircrack-ng ​0.7 r130

+

Aircrack-ng ​1.4

​

​

​

​
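Review bot: only the banner line is changed from "Aircrack-ng 0.7 r130" to "Aircrack-ng 1.4"; the rest of the pasted screen is untouched, so it no longer corresponds to any real run of 1.4. Either re-run the example with 1.4 and paste the whole output, or keep the original banner so readers comparing against their own screen are not misled. The same applies to the banner-only edits at Line 232, Line 270 and Line 308.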

Line 232:

Line 233:

Here is a sample of the output:

Here is a sample of the output:

-

Aircrack-ng ​0.7 r247

+

Aircrack-ng ​1.4

Line 270:

Line 271:

Then:

Then:

-

Aircrack-ng ​0.9

+

Aircrack-ng ​1.4

[00:01:18] Tested 0/140000 keys (got 30680 IVs)

[00:01:18] Tested 0/140000 keys (got 30680 IVs)

Line 308:

Line 309:

Notice in this case that since there are multiple networks we need to select which one to attack. ​ We select number 2. The program then responds:

Notice in this case that since there are multiple networks we need to select which one to attack. ​ We select number 2. The program then responds:

-

​Aircrack-ng ​0.7 r130

+

​Aircrack-ng ​1.4

​

​

​

​

Line 391:

Line 392:

While aircrack-ng is running, you mostly just see the beginning of the key. Although the secret WEP key is unknown at this point, there may be clues to speed things up. If the key bytes have a fairly large number of votes, then they are likely 99.5% correct. ​ So lets look at what you can do with these clues.

While aircrack-ng is running, you mostly just see the beginning of the key. Although the secret WEP key is unknown at this point, there may be clues to speed things up. If the key bytes have a fairly large number of votes, then they are likely 99.5% correct. ​ So lets look at what you can do with these clues.

-

If the bytes (likely secret keys) are for example: 75:​47:​99:​22:​50 then it is quite obvious, that the whole key may consist only of numbers, like the first 5 bytes. ​ So it MAY improve your cracking speed to use the -t option only when trying such keys. See [[http://​en.wikipedia.org/​wiki/​Binary-coded_decimal|Wikipedia Binary Coded Decimal]] for a description of what characters -t looks for.

+

If the bytes (likely secret keys) are for example: 75:​47:​99:​22:​50 then it is quite obvious, that the whole key may consist only of numbers, like the first 5 bytes. ​ So it MAY improve your cracking speed to use the -t option only when trying such keys. See [[https://​en.wikipedia.org/​wiki/​Binary-coded_decimal|Wikipedia Binary Coded Decimal]] for a description of what characters -t looks for.

If the bytes are 37:​30:​31:​33:​36 which are all numeric values when converted to Ascii, it is a good idea to use -h option. ​ The FAQ entry [[faq#​how_do_i_convert_the_hex_characters_to_ascii|Converting hex characters to ascii]] provides links to determine if they are all numeric.

If the bytes are 37:​30:​31:​33:​36 which are all numeric values when converted to Ascii, it is a good idea to use -h option. ​ The FAQ entry [[faq#​how_do_i_convert_the_hex_characters_to_ascii|Converting hex characters to ascii]] provides links to determine if they are all numeric.
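Review bot: apart from the https link, the paragraph states that key bytes with many votes "are likely 99.5% correct"; that figure has no source on the page. Either cite where it comes from or soften it to "very likely correct". The example `75:47:99:22:50` also only motivates -t (binary coded decimal) if all five bytes are decimal pairs, which they are, so consider saying that explicitly to contrast with the ASCII case handled by -h two lines later.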

Line 417:

Line 418:

If you wish to experiment a bit with converting HEX to ASCII, see this [[faq#​how_do_i_convert_the_hex_characters_to_ascii|FAQ entry]].

If you wish to experiment a bit with converting HEX to ASCII, see this [[faq#​how_do_i_convert_the_hex_characters_to_ascii|FAQ entry]].

-

We do not specifically provide support or the details on how to configure your wireless card to connect to the AP. For linux, this [[http://​wirelessdefence.org/​Contents/​LinuxWirelessCommands.htm|page]] has an excellent writeup. ​ As well, search the internet for this information regarding linux and Windows systems. ​ As well, see the documentation for your card's wireless client. ​ If you are using linux, check the mailing lists and forums specific to the distribution.

+

We do not specifically provide support or the details on how to configure your wireless card to connect to the AP. For linux, this [[https://​web.archive.org/​web/​20080212235953/​http://​wirelessdefence.org/​Contents/​LinuxWirelessCommands.htm|page]] has an excellent writeup. ​ As well, search the internet for this information regarding linux and Windows systems. ​ As well, see the documentation for your card's wireless client. ​ If you are using linux, check the mailing lists and forums specific to the distribution.

Additionally,​ Aircrack-ng prints out a message indicating the likelihood that the key is correct. ​ It will look something similar to "​Probability:​ 100%"​. ​ Aircrack-ng tests the key against some packets to confirm the key is correct. ​ Based on these tests, it prints the probability of a correct key.

Additionally,​ Aircrack-ng prints out a message indicating the likelihood that the key is correct. ​ It will look something similar to "​Probability:​ 100%"​. ​ Aircrack-ng tests the key against some packets to confirm the key is correct. ​ Based on these tests, it prints the probability of a correct key.

Line 433:

Line 434:

So there is no way to know the how long the original passphrase was. It could as short as one character. ​ It all depends on the who developed the software.

So there is no way to know the how long the original passphrase was. It could as short as one character. ​ It all depends on the who developed the software.

-

Knowing all this, if you still wish to try to obtain the original passphrase, Latin SuD has a tool which attempts reverse the process. Click [[http://​www.latinsud.com/​wepconv.html|here]] for the tool.

+

Knowing all this, if you still wish to try to obtain the original passphrase, Latin SuD has a tool which attempts reverse the process. Click [[https://​www.latinsud.com/​wepconv.html|here]] for the tool.

Nonetheless,​ these passphrases result in a WEP Key that is as easily cracked as every other WEP Key. The exact conversion method really does not matter in the end.

Nonetheless,​ these passphrases result in a WEP Key that is as easily cracked as every other WEP Key. The exact conversion method really does not matter in the end.
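Review bot: the latinsud.com link is switched from http to https with nothing showing the site serves TLS. For third-party links, confirm the new URL resolves before committing; if the page is gone, use a web.archive.org snapshot as was done for the aircrack-ptw link above, otherwise a possibly working http link becomes a certificate or connection error.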

Line 448:

Line 449:

* [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wpa.cap|wpa.cap]]: ​ This is a sample file with a wpa handshake. ​ It is located in the "​test"​ directory of the install files. ​ The passphrase is "​biscotte"​. ​ Use the password file (password.lst) which is in the same directory.

* [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wpa.cap|wpa.cap]]: ​ This is a sample file with a wpa handshake. ​ It is located in the "​test"​ directory of the install files. ​ The passphrase is "​biscotte"​. ​ Use the password file (password.lst) which is in the same directory.

* [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wpa2.eapol.cap|wpa2.eapol.cap]]:​ This is a sample file with a wpa2 handshake. ​ It is located in the "​test"​ directory of the install files. ​ The passphrase is "​12345678"​. ​ Use the password file (password.lst) which is in the same directory.

* [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wpa2.eapol.cap|wpa2.eapol.cap]]:​ This is a sample file with a wpa2 handshake. ​ It is located in the "​test"​ directory of the install files. ​ The passphrase is "​12345678"​. ​ Use the password file (password.lst) which is in the same directory.

-

* [[http://​download.aircrack-ng.org/​wiki-files/​other/​test.ivs|test.ivs]]:​ This is a 128 bit WEP key file. The key is "​AE:​5B:​7F:​3A:​03:​D0:​AF:​9B:​F6:​8D:​A5:​E2:​C7"​.

+

* [[https://​download.aircrack-ng.org/​wiki-files/​other/​test.ivs|test.ivs]]:​ This is a 128 bit WEP key file. The key is "​AE:​5B:​7F:​3A:​03:​D0:​AF:​9B:​F6:​8D:​A5:​E2:​C7"​.

* [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wep_64_ptw.cap|ptw.cap]]:​ This is a 64 bit WEP key file suitable for the PTW method. ​ The key is "​1F:​1F:​1F:​1F:​1F"​.

* [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wep_64_ptw.cap|ptw.cap]]:​ This is a 64 bit WEP key file suitable for the PTW method. ​ The key is "​1F:​1F:​1F:​1F:​1F"​.

* [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wpa-psk-linksys.cap|wpa-psk-linksys.cap]]:​ This is a sample file with a WPA1 handshake along with some encrypted packets. Useful for testing with airdecap-ng. The password is "​dictionary"​.

* [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wpa-psk-linksys.cap|wpa-psk-linksys.cap]]:​ This is a sample file with a WPA1 handshake along with some encrypted packets. Useful for testing with airdecap-ng. The password is "​dictionary"​.
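Review bot: the link text "ptw.cap" does not match the target file name wep_64_ptw.cap; use the real name so readers can find it in the test directory. Also, test.ivs is described as a "128 bit WEP key file" while the listed key has 13 bytes, i.e. 104 bits of secret key (128 bits only when the 24-bit IV is counted); writing "104-bit (commonly sold as 128-bit)" avoids confusion about which key length to pass with -n.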

Line 457:

Line 458:

Dictionaries used for WPA/WPA bruteforcing need to contain one passphrase per line.

Dictionaries used for WPA/WPA bruteforcing need to contain one passphrase per line.

-

The linux and Windows end of line format is slightly different. ​ See this [[http://​en.wikipedia.org/​wiki/​Line_feed|Wikipedia entry]] for details. There are conversion tools are available under both linux and Windows which can convert one format to another. ​ As well, editors are available under both operating systems which can edit both formats correctly. ​ It is up to the reader to use an Internet search engine to find the appropriate tools.

+

The linux and Windows end of line format is slightly different. ​ See this [[https://​en.wikipedia.org/​wiki/​Line_feed|Wikipedia entry]] for details. There are conversion tools are available under both linux and Windows which can convert one format to another. ​ As well, editors are available under both operating systems which can edit both formats correctly. ​ It is up to the reader to use an Internet search engine to find the appropriate tools.

However both types should work with the linux or Windows versions of aircrack-ng. ​ Thus, you really don't need to convert back and forth.

However both types should work with the linux or Windows versions of aircrack-ng. ​ Thus, you really don't need to convert back and forth.
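Review bot: "WPA/WPA bruteforcing" should read "WPA/WPA2", and "There are conversion tools are available" should read "Conversion tools are available". The claim that both line-ending formats "should work" needs to be checked against the code: if a dictionary line kept its trailing carriage return, the passphrase would be hashed with that extra byte and never match, so the text should state that aircrack-ng strips \r as well as \n before use, or tell readers to convert if it does not.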

Line 465:

Line 466:

Although it is not part of aircrack-ng,​ it is worth mentioning an interesting piece of work is by SuD. It is basically a wep hex dictionary already prepared and the program to run it:

Although it is not part of aircrack-ng,​ it is worth mentioning an interesting piece of work is by SuD. It is basically a wep hex dictionary already prepared and the program to run it:

-

http://​www.latinsud.com/​pub/​wepdict/​

+

https://​www.latinsud.com/​pub/​wepdict/​

Line 474:

Line 475:

So here are two tools to split capture files:

So here are two tools to split capture files:

-

* http://​www.badpenguin.co.uk/​files/​pcap-util

+

* https://​www.badpenguin.co.uk/​files/​pcap-util

-

* http://​www.badpenguin.co.uk/​files/​pcap-util2

+

* https://​www.badpenguin.co.uk/​files/​pcap-util2

Another technique is to use Wireshark / tshark. ​ You can mark packets then same them to a separate file.

Another technique is to use Wireshark / tshark. ​ You can mark packets then same them to a separate file.
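Review bot: the two badpenguin.co.uk links get the same blind http-to-https change as latinsud.com above; verify they resolve or replace them with archive snapshots. In the next line, "mark packets then same them to a separate file" should read "save them".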

Line 482:

Line 483:

==== How to extract WPA handshake from large capture files ====

==== How to extract WPA handshake from large capture files ====

-

Sometimes you have a very large capture file and would like to extract the WPA/WPA2 handshake packets from it to a separate file. The can be done with "​tshark"​ which is a command line version of the Wireshark suite. ​ Installing the linux version of the [[http://​www.wireshark.org|Wireshark suite]] on your system should also install tshark.

+

Sometimes you have a very large capture file and would like to extract the WPA/WPA2 handshake packets from it to a separate file. The can be done with "​tshark"​ which is a command line version of the Wireshark suite. ​ Installing the linux version of the [[https://​www.wireshark.org|Wireshark suite]] on your system should also install tshark.

The following command will extract all handshake and beacon packets from your pcap capture file and create a separate file with just those packets:

The following command will extract all handshake and beacon packets from your pcap capture file and create a separate file with just those packets:

Aircrack-ng comes with a small dictionary called password.lst. ​ The password.lst file is located in the "​test"​ directory of the source files. ​ This [[faq#​where_can_i_find_good_wordlists|FAQ entry]] has a list of web sites where you can find extensive wordlists (dictionaries). ​ Also see this [[http://​forum.aircrack-ng.org/​index.php?​topic=1373|thread]] on the Forum.

+

Aircrack-ng comes with a small dictionary called password.lst. ​ The password.lst file is located in the "​test"​ directory of the source files. ​ This [[faq#​where_can_i_find_good_wordlists|FAQ entry]] has a list of web sites where you can find extensive wordlists (dictionaries). ​ Also see this [[https://​forum.aircrack-ng.org/​index.php?​topic=1373|thread]] on the Forum.

Determining the WPA/WPA2 passphrase is totally dependent on finding a dictionary entry which matches the passphrase. ​ So a quality dictionary is very important. ​ You can search the Internet for dictionaries to be used. There are many available.

Determining the WPA/WPA2 passphrase is totally dependent on finding a dictionary entry which matches the passphrase. ​ So a quality dictionary is very important. ​ You can search the Internet for dictionaries to be used. There are many available.
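Review bot: "The can be done with tshark" should read "This can be done with tshark", and "Installing the linux version of the Wireshark suite ... should also install tshark" is distribution dependent (on Debian and Ubuntu tshark is a separate package), so say "may also install" or name the package. The sentence "The following command will extract all handshake and beacon packets" is followed in this diff context directly by the password.lst paragraph; make sure the tshark command line it introduces is still present in the page after this edit.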